Bug 1301295

Summary: [abrt] BUG: unable to handle kernel NULL pointer dereference at 0000000000000023 [udf]
Product: [Fedora] Fedora
Reporter: andreas.stoeckel
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 23
CC: andreas.stoeckel, gansalmon, itamar, james, jonathan, kernel-maint, madhu.chinakonda, mchehab
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
URL: https://retrace.fedoraproject.org/faf/reports/bthash/3370e2a0cde321b9f952b37c0a9c2e750851d792
Whiteboard: abrt_hash:3eb3a73ab87cd210a9299dbda55a073d5bd841e0;VARIANT_ID=workstation;
Doc Type: Bug Fix
Last Closed: 2016-10-26 16:55:42 UTC

Attachments:
  dmesg (attachment 1117470)
  UDF error check (attachment 1147800)

Description andreas.stoeckel 2016-01-23 19:27:48 UTC
Description of problem:
The problem occurred when opening a BluRay on an external USB drive in VLC (GoT SE4 Disc 4) and caused the entire computer to hang. However, I was not capable of reproducing the problem.

Additional info:
reporter:       libreport-2.6.3
BUG: unable to handle kernel NULL pointer dereference at 0000000000000023
IP: [<ffffffffa05d00ab>] udf_try_read_meta+0x3b/0xc0 [udf]
PGD 0 
Oops: 0000 [#1] SMP 
Modules linked in: snd_seq_dummy loop nls_utf8 udf crc_itu_t xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ebtable_broute bridge stp llc ebtable_filter ebtable_nat ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_raw ip6table_security ip6table_mangle ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_raw iptable_security iptable_mangle fuse snd_hda_codec_via snd_hda_codec_generic snd_hda_codec_hdmi snd_hda_intel ppdev snd_hda_codec coretemp snd_hda_core iTCO_wdt iTCO_vendor_support gpio_ich snd_usb_audio snd_usbmidi_lib snd_seq snd_hwdep snd_rawmidi snd_seq_device snd_pcm i2c_i801 snd_timer
 lpc_ich usb_storage parport_pc parport snd asus_atk0110 acpi_cpufreq soundcore shpchp nfsd auth_rpcgss nfs_acl lockd grace sunrpc binfmt_misc amdkfd amd_iommu_v2 radeon serio_raw i2c_algo_bit drm_kms_helper r8169 ttm ata_generic pata_acpi drm mii
CPU: 1 PID: 17185 Comm: vlc Not tainted 4.2.6-300.fc23.x86_64 #1
Hardware name: System manufacturer System Product Name/P5KPL/1600, BIOS 0512    03/16/2009
task: ffff8800a8638000 ti: ffff880004a10000 task.ti: ffff880004a10000
RIP: 0010:[<ffffffffa05d00ab>]  [<ffffffffa05d00ab>] udf_try_read_meta+0x3b/0xc0 [udf]
RSP: 0018:ffff880004a139f8  EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff880004a13a10
RDX: ffff880004a13a18 RSI: 00000000000002d2 RDI: fffffffffffffffb
RBP: ffff880004a13a58 R08: ffff880004a13a04 R09: ffff880004a13a08
R10: 0000000000012d00 R11: 0000000000000379 R12: 0000000000000000
R13: ffff8800b543e000 R14: 00000000000002d2 R15: 0000000000000000
FS:  00007f607c207700(0000) GS:ffff8800dfa80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000023 CR3: 000000001afdc000 CR4: 00000000000006e0
Stack:
 0000000000000001 ffff8800dfa97740 0000000000000000 0000000000000246
 ffff880004a13a58 ffffffffa05d1f90 0000000000000000 00000000d6257e1d
 ffff8800a0d941d6 0000000000000001 ffff8800b543e000 00000000000002d2
Call Trace:
 [<ffffffffa05d1f90>] ? udf_find_metadata_inode_efe+0xa0/0xb0 [udf]
 [<ffffffffa05d067a>] udf_get_pblock_meta25+0x9a/0xf0 [udf]
 [<ffffffffa05d0066>] udf_get_pblock+0x36/0x40 [udf]
 [<ffffffffa05c961b>] __udf_iget+0x3b/0xa60 [udf]
 [<ffffffffa05cdaf5>] udf_lookup+0xb5/0xe0 [udf]
 [<ffffffff81227afd>] lookup_real+0x1d/0x60
 [<ffffffff81229812>] __lookup_hash+0x42/0x60
 [<ffffffff8122ac7d>] walk_component+0x1dd/0x2a0
 [<ffffffff81320425>] ? security_inode_permission+0x45/0x70
 [<ffffffff8122b718>] link_path_walk+0x178/0x530
 [<ffffffff812289bc>] ? path_init+0x1ec/0x380
 [<ffffffff8122bf88>] path_openat+0xa8/0x12a0
 [<ffffffff8122e34a>] do_filp_open+0x8a/0x100
 [<ffffffff812001c3>] ? kmem_cache_alloc+0x193/0x210
 [<ffffffff8123b4cf>] ? __alloc_fd+0x3f/0x100
 [<ffffffff8121d45a>] do_sys_open+0x13a/0x230
 [<ffffffff8121d56e>] SyS_open+0x1e/0x20
 [<ffffffff817793ee>] entry_SYSCALL_64_fastpath+0x12/0x71
Code: 54 53 41 89 cc 0f b7 da 4c 8d 4d b0 4c 8d 45 ac 48 8d 4d b8 48 8d 55 c0 48 83 ec 40 65 48 8b 04 25 28 00 00 00 48 89 45 d8 31 c0 <4c> 8b 6f 28 48 c7 45 c0 00 00 00 00 41 be ff ff ff ff 48 c7 45 
RIP  [<ffffffffa05d00ab>] udf_try_read_meta+0x3b/0xc0 [udf]
 RSP <ffff880004a139f8>
CR2: 0000000000000023

Potential duplicate: bug 1185885

Comment 1 andreas.stoeckel 2016-01-23 19:27:56 UTC
Created attachment 1117470 [details]
File: dmesg

Comment 2 andreas.stoeckel 2016-01-23 21:54:57 UTC
Note that the linked bug #1185885 describes a very similar problem, which also occurred when opening a BluRay disc. So it seems there is a crash bug in the UDF file system driver at least since Fedora 21 which has not been fixed.

Comment 3 James 2016-04-15 22:12:40 UTC
This is STILL present in F23, 4.4.6-301.fc23.x86_64. Maybe it should be reported upstream.

[140460.155328] VFS: busy inodes on changed media or resized disk sr1
[140485.190418] VFS: busy inodes on changed media or resized disk sr1
[141177.280784] UDF-fs: warning (device sr1): udf_get_pblock_meta25: error reading from METADATA, trying to read from MIRROR
[141178.629216] UDF-fs: error (device sr1): udf_read_inode: (ino 12209439) failed !bh
[141178.629244] UDF-fs: warning (device sr1): udf_find_metadata_inode_efe: metadata inode efe not found
[141178.629318] BUG: unable to handle kernel NULL pointer dereference at 0000000000000023
[141178.629462] IP: [<ffffffffa0a43fbb>] udf_try_read_meta+0x3b/0xc0 [udf]
[141178.629567] PGD 0 
[141178.629601] Oops: 0000 [#1] SMP 
[141178.629655] Modules linked in: cts rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache nls_utf8 udf crc_itu_t rfcomm fuse xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_filter ebtable_nat ebtable_broute bridge stp llc ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw bnep arc4 ath9k snd_hda_codec_hdmi ath9k_common snd_hda_codec_conexant snd_hda_codec_generic ath9k_hw intel_rapl iosf_mbi snd_hda_intel ath x86_pkg_temp_thermal snd_usb_audio snd_hda_codec coretemp mac80211
[141178.630863]  snd_hda_core kvm_intel snd_usbmidi_lib snd_hwdep snd_rawmidi iTCO_wdt iTCO_vendor_support snd_seq toshiba_wmi kvm sparse_keymap uvcvideo snd_seq_device uas videobuf2_vmalloc videobuf2_memops usb_storage snd_pcm irqbypass crct10dif_pclmul videobuf2_v4l2 btusb crc32_pclmul btrtl videobuf2_core btbcm cfg80211 btintel v4l2_common bluetooth videodev snd_timer media joydev snd rfkill mei_me i2c_i801 lpc_ich mei acpi_als shpchp soundcore kfifo_buf industrialio wmi tpm_tis tpm nfsd nfs_acl lockd auth_rpcgss grace sunrpc xfs libcrc32c i915 i2c_algo_bit drm_kms_helper crc32c_intel drm serio_raw atl1c fjes video
[141178.631833] CPU: 7 PID: 9141 Comm: vlc Not tainted 4.4.6-301.fc23.x86_64 #1
[141178.631924] Hardware name: NOVATECH LTD A15/NY3200S, BIOS 303 07/04/2012
[141178.632012] task: ffff8801a73b8000 ti: ffff880006728000 task.ti: ffff880006728000
[141178.632108] RIP: 0010:[<ffffffffa0a43fbb>]  [<ffffffffa0a43fbb>] udf_try_read_meta+0x3b/0xc0 [udf]
[141178.632233] RSP: 0018:ffff88000672ba78  EFLAGS: 00010246
[141178.632303] RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88000672ba88
[141178.632393] RDX: ffff88000672ba90 RSI: 000000000000026c RDI: fffffffffffffffb
[141178.632484] RBP: ffff88000672bad0 R08: ffff88000672ba7c R09: ffff88000672ba80
[141178.632574] R10: 0000000000000001 R11: 00000000000003e6 R12: 0000000000000000
[141178.632665] R13: ffff88000266d800 R14: 000000000000026c R15: 0000000000000000
[141178.632757] FS:  00007fea25f5f700(0000) GS:ffff8802171c0000(0000) knlGS:0000000000000000
[141178.632859] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[141178.632933] CR2: 0000000000000023 CR3: 0000000105d34000 CR4: 00000000000406e0
[141178.633024] Stack:
[141178.633054]  ffff88000266d800 0000000000000001 ffff8802171d7db0 0000000000000000
[141178.633165]  0000000000000246 ffff88000672bad0 0000000027a2eaa1 ffff8802077a99d6
[141178.633275]  0000000000000001 ffff88000266d800 000000000000026c ffff88000672bb08
[141178.633393] Call Trace:
[141178.633442]  [<ffffffffa0a44572>] udf_get_pblock_meta25+0x92/0xe0 [udf]
[141178.633514]  [<ffffffffa0a43f76>] udf_get_pblock+0x36/0x40 [udf]
[141178.633580]  [<ffffffffa0a3d4fd>] __udf_iget+0x3d/0xa80 [udf]
[141178.633660]  [<ffffffffa0a41a22>] udf_lookup+0xc2/0xf0 [udf]
[141178.633739]  [<ffffffff8123791d>] lookup_real+0x1d/0x60
[141178.633811]  [<ffffffff81238e92>] __lookup_hash+0x42/0x60
[141178.633886]  [<ffffffff8123aa16>] walk_component+0x226/0x300
[141178.633965]  [<ffffffff81336f31>] ? security_inode_permission+0x41/0x60
[141178.634054]  [<ffffffff8123b49b>] link_path_walk+0x17b/0x570
[141178.634130]  [<ffffffff8123947b>] ? path_init+0x1eb/0x380
[141178.634204]  [<ffffffff8123bd59>] path_openat+0xa9/0x1320
[141178.634279]  [<ffffffff811ec225>] ? page_add_file_rmap+0x25/0x60
[141178.634362]  [<ffffffff811acf53>] ? unlock_page+0x73/0x90
[141178.634442]  [<ffffffff8123e191>] do_filp_open+0x91/0x100
[141178.634527]  [<ffffffff8120ce87>] ? kmem_cache_alloc+0x197/0x200
[141178.634608]  [<ffffffff8124b1ff>] ? __alloc_fd+0x3f/0x180
[141178.634682]  [<ffffffff8122d32a>] do_sys_open+0x13a/0x230
[141178.638515]  [<ffffffff8122d43e>] SyS_open+0x1e/0x20
[141178.642009]  [<ffffffff817a05ae>] entry_SYSCALL_64_fastpath+0x12/0x71
[141178.645823] Code: 54 53 41 89 cc 0f b7 da 4c 8d 4d b0 4c 8d 45 ac 48 8d 4d b8 48 8d 55 c0 48 83 ec 38 65 48 8b 04 25 28 00 00 00 48 89 45 d8 31 c0 <4c> 8b 6f 28 48 c7 45 c0 00 00 00 00 41 be ff ff ff ff 48 c7 45 
[141178.654169] RIP  [<ffffffffa0a43fbb>] udf_try_read_meta+0x3b/0xc0 [udf]
[141178.658116]  RSP <ffff88000672ba78>
[141178.661912] CR2: 0000000000000023
[141178.682361] ---[ end trace ebda902e602d218c ]---

Seriously -- a kernel null ptr deref in a major FS for over a year?

Comment 4 Laura Abbott 2016-04-15 23:17:55 UTC
Created attachment 1147800 [details]
UDF error check

Can you test the following patch? Looks like a simple case of missing an error check.
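
Added worked example (not the attached patch, which is not reproduced on this page, and not kernel code): the oops in Comment 3 can be decoded from the register dump alone. RDI holds 0xfffffffffffffffb, which is -5 read as a signed value, i.e. ERR_PTR(-EIO); the faulting bytes "4c 8b 6f 28" in the Code: line are mov r13, [rdi+0x28], so the load touches 0xfffffffffffffffb + 0x28 = 0x23, exactly the value in CR2. That is the signature of an ERR_PTR return being dereferenced as if it were a valid inode, which fits the "udf_read_inode: (ino 12209439) failed !bh" and "metadata inode efe not found" messages logged just before the BUG. The userspace C below copies the kernel's ERR_PTR/IS_ERR/PTR_ERR convention, decodes those two register values, and shows the unchecked call shape next to the checked one. The struct layout (chosen only so that a field lands at offset 0x28), the function names, and the -EIO return of the modelled lookup are assumptions for the demo, not the udf driver's code.

```c
/*
 * Added illustration for bug 1301295. Plain userspace C; builds with any
 * C99 compiler. Facts taken from the oops: RDI = 0xfffffffffffffffb,
 * CR2 = 0x23, faulting instruction mov r13,[rdi+0x28]. Everything else
 * (struct layout, function names, which errno the lookup fails with) is a
 * model chosen for the demo.
 */
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace copy of the kernel's ERR_PTR convention: pointer values in the
 * top 4095 bytes of the address space encode a negative errno. */
#define MAX_ERRNO 4095UL

static int   is_err_value(uintptr_t v) { return v >= (uintptr_t)-MAX_ERRNO; }
static void *err_ptr(long err)         { return (void *)(uintptr_t)err; }
static int   is_err(const void *p)     { return is_err_value((uintptr_t)p); }
static long  ptr_err(const void *p)    { return (long)(uintptr_t)p; }

/* Decode a register from the oops: if it holds an ERR_PTR, which errno? */
long fault_errno(uint64_t reg)
{
    return is_err_value((uintptr_t)reg) ? (long)reg : 0;
}

/* Address that "mov r13,[rdi+disp8]" actually loaded from. The addition
 * wraps modulo 2^64 just as the CPU's address calculation does. */
uint64_t fault_address(uint64_t reg, uint8_t disp8)
{
    return reg + disp8;
}

/* Model inode. Assumed layout: the field at +0x28 is where the real load
 * faulted; this is not the kernel's struct inode. */
struct meta_inode {
    uint64_t pad[5];
    uint64_t i_ino;       /* offsetof(struct meta_inode, i_ino) == 0x28 */
};

static struct meta_inode good_inode = { {0}, 12209439 }; /* ino from Comment 3 */

/* Stands in for the inode lookup done by udf_find_metadata_inode_efe():
 * a valid inode on success, ERR_PTR(-EIO) when the block read fails
 * (-EIO is assumed; it matches the -5 seen in RDI). */
struct meta_inode *find_metadata_inode(int read_ok)
{
    return read_ok ? &good_inode : err_ptr(-EIO);
}

/* Buggy shape: trusts the pointer and dereferences it. With ERR_PTR(-EIO)
 * this reads (uintptr_t)-5 + 0x28 == 0x23 and faults, which is the oops.
 * Never called here; kept only to show the shape being fixed. */
int try_read_meta_unchecked(struct meta_inode *ip, uint64_t *ino_out)
{
    *ino_out = ip->i_ino;
    return 0;
}

/* Fixed shape: propagate the errno instead of dereferencing the error. */
int try_read_meta_checked(struct meta_inode *ip, uint64_t *ino_out)
{
    if (is_err(ip))
        return (int)ptr_err(ip);
    *ino_out = ip->i_ino;
    return 0;
}

/* Convenience for the reader: inode number on success, -errno on failure. */
long lookup_ino(int read_ok)
{
    uint64_t ino = 0;
    int rc = try_read_meta_checked(find_metadata_inode(read_ok), &ino);
    return rc ? rc : (long)ino;
}

int main(void)
{
    const uint64_t rdi = 0xfffffffffffffffbULL;
    assert(offsetof(struct meta_inode, i_ino) == 0x28);
    printf("RDI %#llx -> errno %ld, load at %#llx (CR2 in the oops is 0x23)\n",
           (unsigned long long)rdi, fault_errno(rdi),
           (unsigned long long)fault_address(rdi, 0x28));
    printf("checked lookup, read failed: %ld\n", lookup_ino(0));
    printf("checked lookup, read ok:     %ld\n", lookup_ino(1));
    return 0;
}
```

The same decoding works for any register in an oops: a value in the 0xfffffffffffff001..0xffffffffffffffff range that is then used as a base address is an ERR_PTR, and CR2 minus that value gives the displacement of the field that was touched.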

Comment 5 Laura Abbott 2016-09-23 19:46:47 UTC
*********** MASS BUG UPDATE **************
 
We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 23 kernel bugs.
 
Fedora 23 has now been rebased to 4.7.4-100.fc23.  Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel.
 
If you have moved on to Fedora 24 or 25, and are still experiencing this issue, please change the version to Fedora 24 or 25.
 
If you experience different issues, please open a new bug report for those.

Comment 6 Laura Abbott 2016-10-26 16:55:42 UTC
*********** MASS BUG UPDATE **************
This bug is being closed with INSUFFICIENT_DATA as there has not been a response in 4 weeks. If you are still experiencing this issue, please reopen and attach the relevant data from the latest kernel you are running and any data that might have been requested previously.

Comment 7 Red Hat Bugzilla 2023-09-14 03:16:42 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days